Beware of "match" routes when using Rails and of $_REQUEST in PHP. Use separate actions for GET and for requests that change state. It may be possible to bypass built-in security mechanisms, such as CSRF filters, by sending GET requests where the developer expected POST or another state-changing method.
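To make the Rails side of this concrete, here is an added example (not code from the original post, and not Rails itself) that models the two pieces that interact: a route table where a "match"-style entry accepts every HTTP verb, and a forgery check that, like Rails' protect_from_forgery, skips GET and HEAD because they are assumed to be read-only. The application, the /transfer path, the "authenticity_token" value and the balance are all constructed for the example. The same reasoning applies to a PHP handler that reads $_REQUEST, since that array merges GET and POST parameters.

```ruby
# Added example: a minimal model of Rails-style routing plus forgery protection.
# Everything here (MiniApp, /transfer, the token value) is hypothetical.

class MiniApp
  attr_reader :balance

  # routes: array of { path:, verbs:, action: }; verbs is :all or a list like %w[POST]
  def initialize(routes)
    @routes = routes
    @balance = 100
  end

  # Mirrors the Rails rule: GET and HEAD are never challenged for a CSRF token,
  # every other verb must carry the expected authenticity token.
  def verified_request?(env)
    return true if %w[GET HEAD].include?(env[:method])
    env[:params]["authenticity_token"] == "expected-token"
  end

  # Dispatch: find a route whose verb list admits this request, then run the
  # forgery check, then invoke the action.
  def call(env)
    route = @routes.find do |r|
      r[:path] == env[:path] && (r[:verbs] == :all || r[:verbs].include?(env[:method]))
    end
    return [404, "no route"] unless route
    return [422, "invalid authenticity token"] unless verified_request?(env)

    send(route[:action], env[:params])
    [200, "ok"]
  end

  # A state-changing action that should only ever run on POST.
  def transfer(params)
    @balance -= params["amount"].to_i
  end
end

# Equivalent of `match "/transfer", to: "accounts#transfer"` with no verb
# restriction (Rails 3 default; `via: :all` in Rails 4+ behaves the same).
LOOSE_ROUTES = [{ path: "/transfer", verbs: :all, action: :transfer }].freeze

# Equivalent of `post "/transfer", to: "accounts#transfer"`.
STRICT_ROUTES = [{ path: "/transfer", verbs: %w[POST], action: :transfer }].freeze

# Constructed cross-site GET (what an <img src=...> on a third-party page sends):
# no token is attached. Returns [status, body, resulting balance].
def csrf_get(routes)
  app = MiniApp.new(routes)
  status, body = app.call(method: "GET", path: "/transfer", params: { "amount" => "40" })
  [status, body, app.balance]
end

# Constructed POST, optionally carrying the authenticity token.
def csrf_post(routes, token: nil)
  app = MiniApp.new(routes)
  params = { "amount" => "40" }
  params["authenticity_token"] = token if token
  status, body = app.call(method: "POST", path: "/transfer", params: params)
  [status, body, app.balance]
end

if __FILE__ == $PROGRAM_NAME
  p csrf_get(LOOSE_ROUTES)   # => [200, "ok", 60]   forged GET changes state
  p csrf_get(STRICT_ROUTES)  # => [404, "no route", 100]
  p csrf_post(LOOSE_ROUTES)  # => [422, "invalid authenticity token", 100]
  p csrf_post(STRICT_ROUTES, token: "expected-token") # => [200, "ok", 60]
end
```

The interesting line is the first one: with the loose route the forged GET reaches transfer and the token check never runs, because the check trusts the verb rather than the action. Restricting the route to POST is what closes the gap; the token check alone cannot, since it is deliberately skipped for GET.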

Sometimes developers use GET for state-changing requests on purpose; that is the mark of a low-skilled developer. In this post I want to describe another attack vector - GET Accessible Actions (GAA) - whe...